ASA IPsec VPN site to site

I have a new ASA I'm putting in a new colo site. I'm wanting to get as much configuration done as possible before I head there. Can I set up that side of the IPsec tunnel ahead of time, so that when I rack it and connect it, it will connect automatically? Or does it have to be done live?
leadtheway Asked:

Pete Long, Technical Consultant, Commented:
Yes of course, and make sure you can manage the device from your main site in case there's a problem.

Cisco ASA 5500 Site to Site VPN (From CLI)

Cisco ASA – Allow Remote Management

Pete
leadtheway (Author) Commented:
Allowing access to one address externally, I'd have to use the NAT IP address of the site that needs to remotely access, correct?

So from my office to access the new ASA

ssh 12.8.x.x 255.255.255.255 outside
leadtheway (Author) Commented:
Also, what if I have multiple subnets on each side that the other needs access to?

PetesASA(config)#object network Site-A-SN
PetesASA(config-network-object)#subnet 10.254.254.0 255.255.255.0
PetesASA(config)#object network Site-B-SN
PetesASA(config-network-object)#subnet 172.16.254.0 255.255.255.0
PetesASA(config)#access-list VPN-INTERESTING-TRAFFIC line 1 extended permit ip object Site-A-SN object Site-B-SN
PetesASA(config)#nat (inside,outside) source static Site-A-SN Site-A-SN destination static Site-B-SN Site-B-SN no-proxy-arp route-lookup
Firewall Running an OS Earlier than 8.3(x)

So I just need to create network objects for each subnet?
Pete Long, Technical Consultant, Commented:
>>I'd have to use the NAT ip address of the site that needs to remotely access correct?

Yes! Allow access from your public IP :)

>>so i just need to create network objects for each subnet?

Yes! Don't forget to add a NAT exemption for them as well!

Pete
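
An added example (not part of the thread and not Pete's code) for pre-staging both ends when each site has several subnets: it generates the crypto ACL and NAT exemption for each ASA as mirror images, using object-groups as one way to collect the subnets. The group names, the second subnet at each site and the 203.0.113.10 management address are constructed; the interface names and ACL name follow the config quoted above.

```python
import ipaddress

ACL = "VPN-INTERESTING-TRAFFIC"  # ACL name taken from the config quoted in the thread


def parse(cidrs):
    # strict=True rejects entries with host bits set, e.g. 10.254.254.5/24
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def object_group(name, nets):
    # One object-group per site; each subnet becomes a network-object entry
    lines = [f"object-group network {name}"]
    lines += [f" network-object {n.network_address} {n.netmask}" for n in nets]
    return lines


def site_config(local_name, local_cidrs, remote_name, remote_cidrs, mgmt_ip=None):
    """Return ASA 8.3+ config lines for one end of the tunnel."""
    local, remote = parse(local_cidrs), parse(remote_cidrs)
    # Local and remote ranges must not overlap, or traffic cannot be
    # matched to the tunnel unambiguously
    for a in local:
        for b in remote:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    cfg = object_group(local_name, local) + object_group(remote_name, remote)
    cfg.append(f"access-list {ACL} extended permit ip "
               f"object-group {local_name} object-group {remote_name}")
    # NAT exemption (identity NAT) so tunnel traffic is not translated
    cfg.append(f"nat (inside,outside) source static {local_name} {local_name} "
               f"destination static {remote_name} {remote_name} no-proxy-arp route-lookup")
    if mgmt_ip:
        # Restrict SSH on the outside interface to a single host
        cfg.append(f"ssh {ipaddress.ip_address(mgmt_ip)} 255.255.255.255 outside")
    return cfg


# Constructed sample: the first subnet per site is from the thread, the rest are made up
SITE_A = ["10.254.254.0/24", "10.254.253.0/24"]
SITE_B = ["172.16.254.0/24", "172.16.253.0/24"]

if __name__ == "__main__":
    # Each peer gets the mirror image of the other's ACL and NAT exemption
    print("! Site A ASA")
    print("\n".join(site_config("SITE-A-NETS", SITE_A, "SITE-B-NETS", SITE_B)))
    print("! Site B ASA (new colo unit, SSH allowed from one constructed address)")
    print("\n".join(site_config("SITE-B-NETS", SITE_B, "SITE-A-NETS", SITE_A,
                                mgmt_ip="203.0.113.10")))
```

Diffing the two generated configs before travelling catches a crypto ACL that is not an exact mirror on the two peers.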